Windows, macOS, and Linux licenses
FortiClient EMS supports per-endpoint and per-user licensing. You cannot use both license types on one FortiClient EMS instance.
The following are the latest license bundles for FortiClient EMS:
License name |
Description |
---|---|
Endpoint protection platform (EPP) |
Full license that offers all FortiClient features. Includes all features detailed for the zero trust network access (ZTNA) license, as well as antivirus (AV), antiransomware, antiexploit, cloud-based malware detection, Application Firewall, software inventory, USB device control, and advanced threat protection via FortiClient Cloud Sandbox (SaaS). Fortinet offers this license for both per-endpoint and per-user licensing. |
ZTNA |
Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (IPsec and SSL VPN), Vulnerability Scan, Web Filter, and threat protection via Sandbox (appliance only). Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum five year term. You can specify the number of endpoints and the term duration at time of purchase. If you do not apply a ZTNA license to EMS, no endpoints can register to EMS. Fortinet offers this license for both per-endpoint and per-user licensing. |
FortiSASE |
License that applies for deployments using FortiSASE. See FortiSASE. |
FortiGuard Endpoint Forensics Analysis |
The forensic service provides remote endpoint analysis to help endpoint customers respond to and recover from cyber incidents. For each engagement, forensic analysts from Fortinet’s FortiGuard Labs remotely assist in the collection, examination, and presentation of digital evidence, including a final detailed report. This is an add-on license that you can apply to per-endpoint and per-user EPP, ZTNA, and FortiSASE licensing. On-premise EMS only supports this feature for Windows endpoints. |
You can purchase different numbers of EPP and ZTNA licenses. For example, you can purchase 100 EPP licenses and 200 ZTNA licenses. EMS applies licenses based on the features that are enabled in the endpoint's assigned profile.
For per-user licenses, you can manually remove or exclude users from management to free up license seats. Each per-user license allows the user to register three devices. If a user registers a fourth device, they consume two licenses.
When using per-user licensing, using user verification is recommended. See User Management. If an endpoint connects to EMS by specifying the EMS IP address or using an invitation code, without using user verification, EMS considers the locally logged-in user identity as consuming a user license. |
The following shows a more comprehensive comparison between the features included in the EPP and ZTNA licenses:
Feature |
EPP |
ZTNA |
---|---|---|
Zero Trust Security |
||
Zero Trust Agent |
Yes |
Yes |
Central management via EMS |
Yes |
Yes |
Dynamic Security Fabric connector |
Yes |
Yes |
Vulnerability agent and remediation |
Yes |
Yes |
SSL VPN with multifactor authentication (MFA) |
Yes |
Yes |
IPsec VPN with MFA |
Yes |
Yes |
Integration with FortiSandbox (on-premise/PaaS) |
Yes |
Yes |
Next Generation Endpoint Security |
||
AI-powered next generation AV |
Yes |
|
FortiClient Cloud Sandbox (SaaS) |
Yes |
|
Automated endpoint quarantine |
Yes |
|
Application inventory |
Yes |
|
Application Firewall |
Yes |
|
Software Inventory |
Yes |
|
You must purchase a license for each registered endpoint or user. |